22 Sep 2000
Microsoft has brushed aside a potentially devastating vulnerability within its Office suite, according to security experts.
After the vulnerability was reported earlier this week, Microsoft responded by saying it was of low risk because there "isn't a compelling exploit scenario". However, security experts have disagreed and suggested various methods through which crackers could exploit the problem.
The vulnerability may allow arbitrary programs to be executed by double-clicking on a Microsoft Office document from Windows Explorer, or by launching a document from the Start/Run menu. The exploitation works in conjunction with particular dynamic link library (DLL) files that could be linked to malicious code.
Paul Rogers, network security analyst at security consultancy MIS, said that it had advised its clients to put in place mail filtering that quarantines emails with DLL attachments in order to protect their systems.
"Microsoft needs to revisit this problem because there are a number of ways to exploit it. For example, someone could break into a corporate network then upload a Microsoft Office document along with a Trojaned DLL file and then sit back and wait for someone to open a document," said Rogers.
"The vulnerability makes breaking into and accessing restricted areas much easier. People could create super-users or administrator accounts - the possibilities are endless," he added.
Other security experts said the importance of the vulnerability was that it might be used in combination with other attacks, particularly if an attacker had already gained access to a system.
Louis-Eric Simard, an independent security consultant, has sent an email to the Bugtraq security mailing list showing how an intruder could take control of a Windows environment by sending one or more emails containing malicious attachments, provided the victim is using Eudora as a mail client.
Because Eudora saves all attachments in a single directory upon receiving an email, a mail message need not be opened for its attachment to be decoded and saved in that common directory.
According to Simard, this means an attacker need only send an email with a Trojaned DLL, along with or followed by an email containing a Word document, in order to execute an attack.
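The mail filtering that MIS recommends can be sketched as follows. This is an added example, not code from MIS, Microsoft or the Bugtraq post: it flags any MIME part whose filename ends in .dll and, going slightly beyond the advice quoted above, any part whose content starts with the "MZ" header of a Windows executable. The function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

PE_MAGIC = b"MZ"  # first two bytes of a Windows PE file, DLLs included


def find_dll_attachments(raw_message: bytes):
    """Return (filename, reason) for every MIME part that looks like a DLL."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".dll"):
            hits.append((name, "extension"))
        elif payload.startswith(PE_MAGIC):
            # Executable content under another name or with no name at all.
            hits.append((name or "<unnamed>", "pe-header"))
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    """Quarantine decision: hold the message if any part was flagged."""
    return bool(find_dll_attachments(raw_message))


def sample_message(attachments):
    """Build a constructed test message from (filename, bytes) pairs."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for name, data in attachments:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    raw = sample_message([("report.doc", b"\xd0\xcf\x11\xe0 constructed"),
                          ("helper.DLL", b"MZ\x90\x00 constructed")])
    print(find_dll_attachments(raw), should_quarantine(raw))
```

Because the scenario Simard describes can split the DLL and the Word document across separate emails, the check is applied to each message on its own rather than only to messages carrying both file types.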